Windows Admins NEVER leave the firewall on!

langenoir Member Posts: 82
This is a statement that my boss made yesterday. I won’t bore you with the backstory, but the statement remains. My boss asserted that “Windows Admins never leave the firewall on. The first thing you always do is turn it off.”

Now I’m not a huge fan of the Windows firewall. It has gotten better in W2k8. Arguments aside about doing what your boss wants because ultimately it’s his company, I have to ask.

Do you always turn off the Windows Firewall?

Comments

  • DevilWAH Member Posts: 2,997
    At work it is controlled via GPs.

    While it's not the most amazing firewall in the world, it can still help slow down/stop the spread of viruses/malware that is internal to a network.

    At home I do turn it off on my "play" machines, but keep it on on my main and wife's PC as it offers that extra level of protection.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • crrussell3 Member Posts: 561
    We have it turned on by GPO and that's how it stays. It's not a bad firewall, controlled via GPO very easily, and it's free. Can't beat that. It just adds to the defense in depth strategy. I know some companies that do turn it off as they believe their perimeter defenses keep them safe. But one of our biggest threats is from the inside (our end users), which is why we need some sort of endpoint firewall, whether it be the Windows firewall, third party or even part of an enterprise antivirus solution.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • 4_lom Member Posts: 485
    I was recently troubleshooting a malware infection for a local school corporation. Long story short, over 100 computers were infected by an internal cause, and the infection was spreading (slowly, but surely) to other machines. All computers had the Windows firewall disabled via GP. Now, the IT dept. for the school corp didn't think anything of it, because they had a dedicated firewall appliance (Sonicwall, I think...) on the outer edge of the network.... Had the Windows firewall been left on, the infection probably wouldn't have been able to spread. Moral of the story: Leave the Windows Firewall on.
    Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging

  • 4_lom Member Posts: 485
    crrussell3 wrote: »
    We have it turned on by GPO and that's how it stays. It's not a bad firewall, controlled via GPO very easily, and it's free. Can't beat that. It just adds to the defense in depth strategy. I know some companies that do turn it off as they believe their perimeter defenses keep them safe. But one of our biggest threats is from the inside (our end users), which is why we need some sort of endpoint firewall, whether it be the Windows firewall, third party or even part of an enterprise antivirus solution.

    I see you are from Bothawui.... I am from Gand
    Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging

  • it_consultant Member Posts: 1,903
    Normally I disable the firewall in domain environments. A few times I have kept it on; it is not terribly easy to control open ports by GP, but it is doable. The new endpoint security through System Center has an easier management console for the firewall, so if I had that tool available I would probably use it. Symantec Endpoint Protection firewall caused more issues than I could count, so I never leave that firewall on. You find yourself skimming that line between safe computing and quick/painless access to resources.
  • langenoir Member Posts: 82
    Heh, we use Sonicwall too... Ya, I turn the Windows Firewall off every now and again for troubleshooting, but generally I thought if it's not being a huge pain for something it's best to keep it on.
  • cyberguypr Mod Posts: 6,928
    We always have it on also via GPO. I agree that although not the best thing in the world it does provide an additional layer of security and therefore is valuable.

    Please share the backstory if you can. Every time I read things like this I wonder what's the train of thought behind it.
  • ptilsen Member Posts: 2,835
    I'll turn it off in certain environments, but I'd rather have it enabled and controlled. It takes a little more work, but an organization that carefully controls the Windows firewall on desktops and servers through any combination of GPO and manual control can seriously enhance its security.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • demonfurbie Member Posts: 1,819
    I turn it off when I set up the network and get it running; after that I turn it on.

    I turn it on and off a lot; when I roll out new updates/software deployments I turn it off.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • al3kt.R*** Member Posts: 118
    Naah, it's bad practice to switch off Windows Firewall, especially if it's the only host-based F/W or HIPS you have installed on a machine. After all, it's free and does the job quite well (now for outgoing traffic too).
    It just adds some maintenance overhead and requires some attention to special cases all of which can be handled easily with AD Group Policies, as folks here have mentioned.
    "Tigranes: Good heavens! Mardonius, what kind of men have brought us to fight against? Men who do not compete for possessions, but for honour."--- Herodotus, The Histories
    "Nipson anomemata me monan opsin"--- Gregory of Nazianzus
    "Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days."--- Bruce Schneier Facts
  • blargoe Member Posts: 4,174
    Since Windows 2008, I usually leave it turned on.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • nel Member Posts: 2,859
    All of the places I have worked, except one that comes to mind, disable the Windows firewall. I'm not saying it's right, that's just what I've experienced.
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking
  • SteveLord Member Posts: 1,717
    Hated Windows XP firewall. However, since Windows 7 I have never had issues with it and it's always on.
    WGU B.S.IT - 9/1/2015 >>> ???
  • paul78 Member Posts: 3,016
    langenoir wrote: »
    My boss asserted that “Windows Admins never leave the firewall on. The first thing you always do is turn it off.”
    Lol- it's statements like that which provide justification for why systems and network management are not authorized to make security decisions where I work.
  • ptilsen Member Posts: 2,835
    nel wrote: »
    All of the places I have worked, except one that comes to mind, disable the Windows firewall. I'm not saying it's right, that's just what I've experienced.

    I should add that I have experienced that as well. I like to leave it on and have a whole policy about managing it, but many businesses, small or large, leave it off.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • langenoir Member Posts: 82
    cyberguypr wrote: »
    Please share the backstory if you can. Every time I read things like this I wonder what's the train of thought behind it.

    So I’m putting up a Hyper-V cluster and I have two nodes working. We’re trying to incorporate a 3rd with an older Xeon. I can get the host in the node, but Live Migration keeps failing. I check the box for different processor families, check the NIC names, make sure the integration tools are up to date, check hardware virtualization in the BIOS, update the BIOS; nothing is working.

    So my boss decides he’s going to help out. The first question he asks:

    Him: Did you install the Hyper-V role?

    ME: (thinking) Oh silly me, I forgot to install the very thing that makes this work. This Hyper-V thing is so much more complex than the VMware or XenServer deployments I’ve done. Silly ol’ me...

    So he’s going to remote in. He cannot seem to get VNC to connect. So I mention that maybe there’s something blocking it in the firewall and I’ll check. This is when he says, “You have the firewall on, you should turn that off. This should always be the first thing you do when setting up Windows. Admins always do that.”

    ME: (thinking again) Yup, that sounds like an MS Best Practice...

    Then we go back and forth about the whole turning the Windows firewall off and it killing my RDP connection. He’s like, “That’s ridiculous, there’s no reason that turning the firewall off should have anything to do with the Remote Connection.”

    You guys know what I’m talking about here, the “The Windows Firewall Services is not running. Windows cannot automatically enable or disable Remote Desktop because the Windows Firewall service is not running.” message.

    So he thinks I’m retarded and I kill the firewall service, which in turn kills my RDP session. So he asks around the office because obviously I’m wrong and he’s right. They all agree with him and tell me that I just need to set the remote connection to “Allow connections from computers running any version of Remote Desktop.”

    The problem is that I already have. Most of our environments are mixed with really, really old hardware/software. So I don’t usually take the chance on NLA.

    Good times, right?
    paul78 wrote: »
    Lol- it's statements like that which provide justification for why systems and network management are not authorized to make security decisions where I work.

    It did seem a bit overreaching to me.
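A defender's version of the troubleshooting in the post above, added here as an example and not taken from the thread or any poster: instead of stopping the firewall service to see whether it is "in the way", enumerate each thing that actually gates an inbound RDP session and report it. It assumes Windows 8 / Server 2012 or later (the NetSecurity PowerShell module) and an elevated prompt; the function name is mine.

```powershell
# Added example, not from the thread. Checks the components that gate an inbound
# RDP connection so the firewall can stay on while the real blocker is found.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module), elevated prompt.
function Test-RdpFirewallPath {
    $report = [ordered]@{}

    # 1. The Windows Firewall service (MpsSvc). Stopping this service, rather than
    #    disabling a profile, is what produces the "Windows Firewall service is not
    #    running" message quoted above and takes the RDP session down with it.
    $svc = Get-Service -Name MpsSvc
    $report['FirewallServiceRunning'] = ($svc.Status -eq 'Running')

    # 2. Which network profile the host is actually in. A domain member that shows
    #    'Public' here is being filtered by the most restrictive rule set.
    $categories = Get-NetConnectionProfile | Select-Object -ExpandProperty NetworkCategory
    $report['ActiveProfiles'] = ($categories -join ', ')

    # 3. Per-profile state and default inbound action: the firewall being "on"
    #    only blocks RDP if no enabled allow rule matches the connection.
    foreach ($p in Get-NetFirewallProfile) {
        $report["$($p.Name)Enabled"]        = $p.Enabled
        $report["$($p.Name)DefaultInbound"] = $p.DefaultInboundAction
    }

    # 4. Enabled inbound allow rules covering TCP/3389 (the built-in ones are in
    #    the 'Remote Desktop' group). A rule's port filter is a separate object.
    $rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '3389')
        }
    $report['RdpAllowRules'] = (($rdpRules | ForEach-Object DisplayName) -join '; ')

    # 5. RDP itself: fDenyTSConnections = 0 means connections are allowed, and
    #    UserAuthentication = 1 means NLA is required (the setting the post avoids
    #    on an estate with very old clients).
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $report['RdpEnabled']  = ($ts.fDenyTSConnections -eq 0)
    $report['NlaRequired'] = ($nla.UserAuthentication -eq 1)

    # 6. Is anything listening on 3389 at all?
    $listener = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
    $report['Listening3389'] = [bool]$listener

    [pscustomobject]$report
}

Test-RdpFirewallPath | Format-List
```

Every field in the report is a separate reason RDP (or VNC, with the port changed) can fail with the firewall on; if `FirewallServiceRunning` is false the fix is `Start-Service MpsSvc`, not disabling anything, and if `RdpAllowRules` is empty the fix is an allow rule for the right profile.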
  • I always double-bag it. A lot of IT people seem to think that you only need one Firewall (hardware or software depending on whatever the config is) on the whole network at the front end - and you can find articles where they voraciously defend such a philosophy as sensible - but that simply does not make any sense at all when your machines can be compromised by user negligence or infection from user input of removable storage devices or whatever else comes to mind.
  • RobertKaucher Member Posts: 4,299
    We turn it off on the domain network and on when not on the domain network via a GPO.
  • undomiel Member Posts: 2,818
    I usually try to leave it running but generally find that my coworkers have turned it off. If I'm "sneaky" and set it to be controlled by GPO though, they usually can't figure out how to get it turned off. I've noticed that the mentality of turning it off and then figuring out what is needed later usually ends up with the firewall being permanently off.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
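The two posts above describe the same mechanism from both sides: the firewall state is set per network profile (domain, private, public), and when a GPO sets it, the local console can no longer switch it off. The following is an added example, not code from the thread or any poster, showing how to set the per-profile state locally and then read back what is actually in force, including what Group Policy delivered. It assumes Windows 8 / Server 2012 or later and an elevated prompt; the function names are mine, and the reading of the RSOP policy store is labelled where it appears.

```powershell
# Added example, not from the thread. Sets the firewall state per network profile
# and then shows what is actually in force, including anything pushed by Group
# Policy. Assumes Windows 8 / Server 2012 or later and an elevated prompt.

# Local configuration: on in every profile, block inbound by default, log drops.
# Only matters on hosts no GPO covers; where a GPO sets a value, the GPO value wins.
# (The "off on domain, on elsewhere" layout in the post above would instead pass
# -Name Domain -Enabled False for that one profile.)
Set-NetFirewallProfile -Name Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True

function Get-EffectiveFirewallState {
    # ActiveStore is the merged result of local settings and applied GPOs,
    # i.e. what the packet filter is using right now.
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
}

function Test-ProfileManagedByGpo {
    # The RSOP store holds only values delivered by Group Policy. My reading of the
    # documented store semantics: a profile whose Enabled reads NotConfigured there
    # is not controlled by GPO and can be switched off from the local console; one
    # that reads True or False cannot, which is the "sneaky" setup described above.
    $local = Get-NetFirewallProfile -PolicyStore PersistentStore
    $gpo   = Get-NetFirewallProfile -PolicyStore RSOP
    foreach ($p in $local) {
        $g = $gpo | Where-Object Name -eq $p.Name
        [pscustomobject]@{
            Profile      = $p.Name
            LocalEnabled = $p.Enabled
            GpoEnabled   = $(if ($g) { $g.Enabled } else { 'NotConfigured' })
            ManagedByGpo = [bool]($g -and $g.Enabled -ne 'NotConfigured')
        }
    }
}

Get-EffectiveFirewallState | Format-Table -AutoSize
Test-ProfileManagedByGpo   | Format-Table -AutoSize
```

Run on a host where a coworker has "turned it off", the second table shows whether they changed the persistent local setting (which a GPO refresh will revert) or whether nothing is enforcing the state at all.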
  • nosoup4u Member Posts: 365
    SteveLord wrote: »
    Hated Windows XP firewall. However, since Windows 7 I have never had issues with it and it's always on.

    Same policy I follow
  • jmritenour Member Posts: 565
    Generally, I leave it on. It's easy enough to manage in 2008, especially via GP.
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
  • higherho Member Posts: 882
    Yes, I always turn it off. According to DoD STIGs you should always use a third party firewall. In the off chance that something happens you can have it on until you get your 3rd party FW online. In this case HBSS. Why? It's mainly a nitpick that the Windows firewall is not good enough security-wise compared to other products, and since it's Microsoft you don't want to throw all your eggs in one basket.

    EDIT

    My statement of course is talking about at work. I think the windows firewall is exceptional in 2008 and Windows 7. I personally leave these firewalls turned on at least on my personal equipment.
  • ptilsen Member Posts: 2,835
    Honestly, I don't see the logic in third-party. The Windows firewall does everything I need a software firewall to do, and it is extremely easy to manage. I've yet to see an argument that third-party firewalls are better or even fundamentally different. They allow or deny access to ports based on source and destination IP addresses, applications, protocols, etc. Windows Firewall allows pretty robust control over this. Using Group Policy and even NAP can make for a very secure, reliable firewall setup.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
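The post above lists what a host firewall rule can key on: port, protocol, source and destination address, and application. This added example (mine, not from the thread or any poster) puts that to work on the two situations the thread keeps returning to: the remote-management tool that "needs the firewall off" gets a rule scoped to the admin subnet and program instead, and the workstation-to-workstation spread from the school story is closed by replacing the broad built-in SMB allows with a scoped one. It finishes with an audit function that lists enabled allow rules on sensitive ports that accept connections from anywhere. It assumes Windows 8 / Server 2012 or later and an elevated prompt; the subnet, group name and program path are constructed placeholders.

```powershell
# Added example, not from the thread. Replaces "turn the firewall off so X works"
# with rules scoped by port, protocol, remote address and program, then audits
# allow rules that accept connections from anywhere on sensitive ports.
# Assumes Windows 8 / Server 2012 or later, elevated prompt. Placeholders below.
$MgmtSubnet = '10.0.50.0/24'                  # placeholder: the admins' jump-host subnet
$GroupName  = 'Example - Scoped Admin Access' # placeholder group, easy to find and remove

# Remote Desktop only from the management subnet, only in the Domain profile.
New-NetFirewallRule -DisplayName 'Allow RDP from management subnet' -Group $GroupName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Profile Domain

# VNC (the tool the boss could not connect with): same scope, and additionally tied
# to the listening program so no other process can reuse the opening.
New-NetFirewallRule -DisplayName 'Allow VNC from management subnet' -Group $GroupName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5900 `
    -RemoteAddress $MgmtSubnet -Program 'C:\Program Files\ExampleVNC\winvnc.exe' -Profile Domain

# Workstations do not need to accept SMB from other workstations; that is the path
# the infection in the school story took. Disable the broad built-in allows and keep
# one scoped allow for the hosts that really need it. Not for file servers.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'Allow SMB from management subnet' -Group $GroupName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
    -RemoteAddress $MgmtSubnet -Profile Domain

function Get-UnscopedSensitiveAllowRules {
    # Lists enabled inbound allow rules on admin / lateral-movement ports whose
    # remote address is 'Any'. Those are the rules to tighten first.
    param([int[]]$Ports = @(135, 139, 445, 3389, 5900, 5985, 5986))

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $onSensitivePort = $false
        foreach ($p in @($port.LocalPort)) {
            # LocalPort is 'Any', a single port, or a range such as '49152-65535';
            # ranges are skipped here, which is a simplification of this example.
            if ($p -eq 'Any' -or (($p -as [int]) -in $Ports)) { $onSensitivePort = $true }
        }
        if ($onSensitivePort -and (@($addr.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = (@($port.LocalPort) -join ',')
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
    }
}

Get-UnscopedSensitiveAllowRules | Format-Table -AutoSize
```

The audit is the useful half for an existing estate: it shows what a host is exposing to every peer on the LAN, which is exactly the surface the pen testers in a later post used once they were inside, and it is the list to work through before deciding a third-party product is needed.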
  • Hypntick Member Posts: 1,451
    We leave them on by default, now if we run into a weird issue it is something we disable in troubleshooting, but if that's not the culprit it goes right back on again. Very rarely have I seen it cause an issue, but stranger things have happened.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • MickQ Member Posts: 628
    Hypntick wrote: »
    We leave them on by default, now if we run into a weird issue it is something we disable in troubleshooting, but if that's not the culprit it goes right back on again. Very rarely have I seen it cause an issue, but stranger things have happened.

    Ditto. Especially in a post-2k3 world.
  • rsutton Member Posts: 1,029
    The modern Windows firewalls are great. No reason to use third party.
  • DevilWAH Member Posts: 2,997
    I suppose there is an argument to use a 3rd party firewall, but we have several hardware firewalls looking after the main network. I really see Windows firewall as an additional wall in the way of attack, not the main deal.

    Windows virus scanner is also another one we have started to use. We have other solutions for servers and traffic in and out of site. But for user machines it's cheap and it does a very good job.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • unclerico Member Posts: 237
    When I first started in my current position I was appalled by the lack of security and the lack of awareness in general. I was able to get money for an enterprise assessment by a top notch security firm to show those in control just how vulnerable everything was. I was able to put a few things in motion before the pen testers got to us so they couldn't penetrate the perimeter and they couldn't penetrate my secure wireless network. Once they had physical access they owned each and every machine that did not have the Windows firewall enabled. Now, whenever my co-workers install software or do upgrades they disable the firewall and then re-enable after they are done. Internal threats are the most difficult to identify and stop. Why make things easy for them?
    Preparing for CCIE Written
  • m3zilla Member Posts: 172
    I guess I don't follow the train of thought here. Why enable Windows firewall when I can have a dedicated firewall to protect my environment? To get to any of our servers, internal or external, you have to traverse at least 2 firewalls: the one protecting your subnet, and the one protecting the server subnet.

    If you have it enabled, who would manage that firewall? I don't think the network folks are going to have access to the servers, so that leaves the server admins. So now, anytime a server needs to talk to another server in a different security zone, not only do we have to add the rules in our firewall, but we have to get the server admins on each side involved? No thanks!
  • sratakhin Member Posts: 818
    Don't you need to protect users' workstations as well? Or would you rather spend a week reimaging them? ;)
    Windows Firewall can be easily managed by Group Policies.
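Several posters say the firewall is "easily managed by Group Policy" without showing what that looks like, and the previous post's management objection (server admins on each side having to touch every host) is answered by the same thing: the rules and profile state are authored once in a GPO, not on each server. This added example (mine, not from the thread or any poster) writes the profile state and one scoped rule into a GPO's firewall policy store. It assumes a domain-joined admin workstation with RSAT (the GroupPolicy module) and the NetSecurity module, run as a user who can edit the GPO; the domain, GPO name and subnet are constructed placeholders, and linking the GPO to an OU is a separate step not shown.

```powershell
# Added example, not from the thread. Authors Windows Firewall settings in a GPO
# instead of on each host. Assumes RSAT GroupPolicy + NetSecurity modules and
# rights to edit the GPO. Domain, GPO name and subnet are placeholders.
Import-Module GroupPolicy
$Domain  = 'example.local'
$GpoName = 'Workstation Firewall Baseline'

# Create the GPO if it does not exist yet. (Assumption: Get-GPO's "not found"
# error is non-terminating and can be silenced with -ErrorAction.)
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# Open the GPO's firewall policy store as a session, make every change against
# that session, then save once; the cmdlets accept -GPOSession in place of
# touching the local host's own store.
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# Profile state for every domain member the GPO is linked to: on, default block
# inbound, log dropped packets so the firewall log is useful during incidents.
Set-NetFirewallProfile -GPOSession $session -Name Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# One scoped remote-management rule; the same pattern carries the rest of the
# baseline (WinRM, VNC, monitoring agents) without anyone logging on to a host.
New-NetFirewallRule -GPOSession $session -DisplayName 'Allow RDP from management subnet' `
    -Group 'Baseline - Remote Management' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress '10.0.50.0/24' -Profile Domain

Save-NetGPO -GPOSession $session

# On a client, after the next policy refresh (gpupdate /force), the delivered
# values appear in the RSOP store and cannot be undone from the local console:
#   Get-NetFirewallProfile -PolicyStore RSOP
#   Get-NetFirewallRule    -PolicyStore RSOP -DisplayGroup 'Baseline - Remote Management'
```

Because the store is opened, edited and saved as one unit, a half-applied change never reaches clients, and because the rule lives in the GPO rather than on the server, a new host in the OU gets the same posture the moment it joins.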